1/*
2 * net/sched/ipt.c	iptables target interface
3 *
4 *TODO: Add other tables. For now we only support the ipv4 table targets
5 *
6 *		This program is free software; you can redistribute it and/or
7 *		modify it under the terms of the GNU General Public License
8 *		as published by the Free Software Foundation; either version
9 *		2 of the License, or (at your option) any later version.
10 *
11 * Copyright:	Jamal Hadi Salim (2002-4)
12 */
13
14#include <linux/types.h>
15#include <linux/kernel.h>
16#include <linux/string.h>
17#include <linux/errno.h>
18#include <linux/skbuff.h>
19#include <linux/rtnetlink.h>
20#include <linux/module.h>
21#include <linux/init.h>
22#include <linux/slab.h>
23#include <net/netlink.h>
24#include <net/pkt_sched.h>
25#include <linux/tc_act/tc_ipt.h>
26#include <net/tc_act/tc_ipt.h>
27
28#include <linux/netfilter_ipv4/ip_tables.h>
29
30
/* Bucket mask of the per-action-kind hash table below; the table holds
 * IPT_TAB_MASK + 1 buckets and is only ever accessed through the generic
 * tcf_hash_* helpers, which receive it via ipt_hash_info. */
#define IPT_TAB_MASK     15
static struct tcf_common *tcf_ipt_ht[IPT_TAB_MASK + 1];
/* Source of fresh action indices, handed to tcf_hash_create() when a
 * TCA_IPT_INDEX of 0 (or none) is given. */
static u32 ipt_idx_gen;
/* Protects tcf_ipt_ht; taken by the generic hash helpers, not directly here. */
static DEFINE_RWLOCK(ipt_lock);

/* Descriptor bundling table, mask and lock for tcf_hash_check() & co. */
static struct tcf_hashinfo ipt_hash_info = {
	.htab	=	tcf_ipt_ht,
	.hmask	=	IPT_TAB_MASK,
	.lock	=	&ipt_lock,
};
41
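/*
 * ipt_init_target - resolve the xtables target named in @t and run its
 *                   checkentry hook
 * @t:     kernel copy of the userspace target blob; on success
 *         t->u.kernel.target points at the resolved target and a module
 *         reference is held that ipt_destroy_target() drops again
 * @table: table name handed to the target's checkentry (par.table)
 * @hook:  hook value from userspace, handed on as the hook mask
 *
 * Returns 0 on success or a negative errno; on failure no module
 * reference is left behind.
 */
static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook)
{
	struct xt_target *target;
	int ret;

	/* target_size is user-controlled and covers the header plus the
	 * target-private data. If it is smaller than the header, the
	 * targinfo size computed for xt_check_target() below would wrap to
	 * a huge unsigned value, so refuse it before touching anything. */
	if (t->u.target_size < sizeof(*t))
		return -EINVAL;

	target = xt_request_find_target(AF_INET, t->u.user.name,
					t->u.user.revision);
	if (IS_ERR(target))
		return PTR_ERR(target);

	t->u.kernel.target = target;

	/* Designated initializer so members not listed here (e.g. a network
	 * namespace pointer, if this version carries one) are zeroed rather
	 * than left indeterminate for the target to read. */
	{
		struct xt_tgchk_param par = {
			.table     = table,
			.entryinfo = NULL,
			.target    = target,
			.targinfo  = t->data,
			/* NOTE(review): used as a hook *mask* here but as a
			 * hook *number* by tcf_ipt() — confirm the encoding
			 * userspace supplies. */
			.hook_mask = hook,
			.family    = NFPROTO_IPV4,
		};

		ret = xt_check_target(&par, t->u.target_size - sizeof(*t), 0, false);
	}
	if (ret < 0) {
		/* checkentry rejected it: give back the module reference
		 * xt_request_find_target() took on our behalf. */
		module_put(target->me);
		return ret;
	}
	return 0;
}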
68
/*
 * ipt_destroy_target - undo ipt_init_target(): run the target's destroy
 *                      hook (if any) and drop the module reference
 * @t: kernel-side entry whose u.kernel.target was set by ipt_init_target()
 */
static void ipt_destroy_target(struct ipt_entry_target *t)
{
	struct xt_target *target = t->u.kernel.target;
	/* designated initializer: unnamed members stay zeroed */
	struct xt_tgdtor_param par = {
		.target   = target,
		.targinfo = t->data,
	};

	if (target->destroy)
		target->destroy(&par);
	module_put(target->me);
}
79
/*
 * tcf_ipt_release - drop one reference (and one bind, if @bind) on @ipt
 * @ipt:  action to release; NULL is tolerated and a no-op
 * @bind: non-zero if the caller also held a bind on the action
 *
 * Once both counts are exhausted the xtables target is torn down, the
 * table name and target copy freed and the action removed from the hash.
 * Returns ACT_P_DELETED in that case, 0 otherwise.
 */
static int tcf_ipt_release(struct tcf_ipt *ipt, int bind)
{
	if (!ipt)
		return 0;

	if (bind)
		ipt->tcf_bindcnt--;
	ipt->tcf_refcnt--;

	/* still referenced or bound elsewhere: nothing more to do */
	if (ipt->tcf_bindcnt > 0 || ipt->tcf_refcnt > 0)
		return 0;

	ipt_destroy_target(ipt->tcfi_t);
	kfree(ipt->tcfi_tname);
	kfree(ipt->tcfi_t);
	tcf_hash_destroy(&ipt->common, &ipt_hash_info);
	return ACT_P_DELETED;
}
97
/* Netlink policy for the nested TCA_IPT_* attributes; nla_parse_nested()
 * enforces it before tcf_ipt_init() reads anything. TCA_IPT_TARG only gets
 * a minimum length here — the length the blob claims for itself
 * (u.target_size) has to be cross-checked in tcf_ipt_init(). */
static const struct nla_policy ipt_policy[TCA_IPT_MAX + 1] = {
	[TCA_IPT_TABLE]	= { .type = NLA_STRING, .len = IFNAMSIZ },
	[TCA_IPT_HOOK]	= { .type = NLA_U32 },
	[TCA_IPT_INDEX]	= { .type = NLA_U32 },
	[TCA_IPT_TARG]	= { .len = sizeof(struct ipt_entry_target) },
};
104
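/*
 * tcf_ipt_init - create a new "ipt" action or replace an existing one
 * @nla:  attribute carrying the nested TCA_IPT_* attributes
 * @est:  rate estimator attribute, handed to tcf_hash_create()
 * @a:    action being set up; a->priv ends up pointing at the tcf_ipt
 * @ovr:  non-zero if an existing action with the same index may be replaced
 * @bind: non-zero if the caller binds to the action
 *
 * TCA_IPT_HOOK and TCA_IPT_TARG are mandatory. TCA_IPT_INDEX selects an
 * existing action (absent or 0: a new index is allocated). TCA_IPT_TABLE
 * defaults to "mangle" when absent or too long for IFNAMSIZ.
 *
 * Returns ACT_P_CREATED for a new action, 0 for a replaced one, or a
 * negative errno. On error a freshly created action is freed again and
 * the reference taken on an existing one is dropped.
 */
static int tcf_ipt_init(struct nlattr *nla, struct nlattr *est,
			struct tc_action *a, int ovr, int bind)
{
	struct nlattr *tb[TCA_IPT_MAX + 1];
	struct tcf_ipt *ipt;
	struct tcf_common *pc;
	struct ipt_entry_target *td, *t;
	char *tname;
	int ret = 0, err;
	u32 hook = 0;
	u32 index = 0;

	if (nla == NULL)
		return -EINVAL;

	err = nla_parse_nested(tb, TCA_IPT_MAX, nla, ipt_policy);
	if (err < 0)
		return err;

	if (tb[TCA_IPT_HOOK] == NULL)
		return -EINVAL;
	if (tb[TCA_IPT_TARG] == NULL)
		return -EINVAL;

	td = (struct ipt_entry_target *)nla_data(tb[TCA_IPT_TARG]);
	/* target_size comes from userspace. It must cover at least the
	 * header — otherwise kmemdup() below copies too little and the
	 * later store to t->u.kernel.target runs past the allocation, and
	 * ipt_init_target()'s target_size - sizeof(*t) wraps — and it must
	 * not claim more than the attribute actually carries. */
	if (td->u.target_size < sizeof(*td) ||
	    nla_len(tb[TCA_IPT_TARG]) < td->u.target_size)
		return -EINVAL;

	if (tb[TCA_IPT_INDEX] != NULL)
		index = nla_get_u32(tb[TCA_IPT_INDEX]);

	pc = tcf_hash_check(index, a, bind, &ipt_hash_info);
	if (!pc) {
		pc = tcf_hash_create(index, est, a, sizeof(*ipt), bind,
				     &ipt_idx_gen, &ipt_hash_info);
		if (IS_ERR(pc))
			return PTR_ERR(pc);
		ret = ACT_P_CREATED;
	} else if (!ovr) {
		/* exists and replacing was not requested: give back the
		 * reference tcf_hash_check() just took */
		tcf_ipt_release(to_ipt(pc), bind);
		return -EEXIST;
	}
	ipt = to_ipt(pc);

	hook = nla_get_u32(tb[TCA_IPT_HOOK]);

	err = -ENOMEM;
	tname = kmalloc(IFNAMSIZ, GFP_KERNEL);
	if (unlikely(!tname))
		goto err1;
	/* nla_strlcpy() returns the source length; >= IFNAMSIZ means the
	 * name did not fit, so fall back to the default table */
	if (tb[TCA_IPT_TABLE] == NULL ||
	    nla_strlcpy(tname, tb[TCA_IPT_TABLE], IFNAMSIZ) >= IFNAMSIZ)
		strcpy(tname, "mangle");

	t = kmemdup(td, td->u.target_size, GFP_KERNEL);
	if (unlikely(!t))
		goto err2;

	err = ipt_init_target(t, tname, hook);
	if (err < 0)
		goto err3;

	/* Swap the new target in under tcf_lock so tcf_ipt() never sees a
	 * half-updated action; in the replace case the old one goes first. */
	spin_lock_bh(&ipt->tcf_lock);
	if (ret != ACT_P_CREATED) {
		ipt_destroy_target(ipt->tcfi_t);
		kfree(ipt->tcfi_tname);
		kfree(ipt->tcfi_t);
	}
	ipt->tcfi_tname = tname;
	ipt->tcfi_t     = t;
	ipt->tcfi_hook  = hook;
	spin_unlock_bh(&ipt->tcf_lock);
	if (ret == ACT_P_CREATED)
		tcf_hash_insert(pc, &ipt_hash_info);
	return ret;

err3:
	kfree(t);
err2:
	kfree(tname);
err1:
	if (ret == ACT_P_CREATED) {
		/* not yet inserted into the hash, so nobody else can reach it
		 * NOTE(review): an estimator tcf_hash_create() may have set up
		 * from @est is not torn down here — confirm. */
		kfree(pc);
	} else {
		/* existing action: it is still live in the hash and used by
		 * others, so only drop the reference (and bind) taken by
		 * tcf_hash_check(), exactly as the !ovr path does */
		tcf_ipt_release(to_ipt(pc), bind);
	}
	return err;
}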
190
/*
 * tcf_ipt_cleanup - .cleanup callback: release @a's tcf_ipt
 * @a:    action whose priv holds the tcf_ipt
 * @bind: forwarded to tcf_ipt_release()
 *
 * Returns whatever tcf_ipt_release() returns (ACT_P_DELETED or 0).
 */
static int tcf_ipt_cleanup(struct tc_action *a, int bind)
{
	return tcf_ipt_release(a->priv, bind);
}
196
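/*
 * tcf_ipt - .act callback: run the configured xtables target on a packet
 * @skb: packet; made writable first because the target may modify it
 * @a:   action whose priv holds the tcf_ipt
 * @res: unused here
 *
 * Maps the netfilter verdict onto tc codes: NF_ACCEPT -> TC_ACT_OK,
 * NF_DROP -> TC_ACT_SHOT (counted in qstats.drops), IPT_CONTINUE ->
 * TC_ACT_PIPE; anything else is logged (rate-limited) and treated as
 * accept. Returns TC_ACT_UNSPEC if a cloned skb could not be unshared.
 */
static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
		   struct tcf_result *res)
{
	struct tcf_ipt *ipt = a->priv;
	struct xt_action_param par;
	int verdict, result;

	if (skb_cloned(skb)) {
		if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
			return TC_ACT_UNSPEC;
	}

	/* stats, the tcfi_t pointer and the target call itself are all
	 * serialised against tcf_ipt_init() swapping the target */
	spin_lock(&ipt->tcf_lock);

	ipt->tcf_tm.lastuse = jiffies;
	ipt->tcf_bstats.bytes += qdisc_pkt_len(skb);
	ipt->tcf_bstats.packets++;

	/* yes, we have to worry about both in and out dev
	 worry later - danger - this API seems to have changed
	 from earlier kernels */
	/* Zero the whole parameter block first: members not assigned below
	 * would otherwise be indeterminate stack contents handed to the
	 * target. */
	memset(&par, 0, sizeof(par));
	par.in       = skb->dev;
	par.out      = NULL;
	/* NOTE(review): tcfi_hook is passed to xt_check_target() as a hook
	 * *mask* in ipt_init_target() but used as a hook *number* here —
	 * confirm userspace supplies the encoding both sides expect. */
	par.hooknum  = ipt->tcfi_hook;
	par.target   = ipt->tcfi_t->u.kernel.target;
	par.targinfo = ipt->tcfi_t->data;
	/* same family the target was checked against in ipt_init_target() */
	par.family   = NFPROTO_IPV4;
	verdict = par.target->target(skb, &par);

	switch (verdict) {
	case NF_ACCEPT:
		result = TC_ACT_OK;
		break;
	case NF_DROP:
		result = TC_ACT_SHOT;
		ipt->tcf_qstats.drops++;
		break;
	case IPT_CONTINUE:
		result = TC_ACT_PIPE;
		break;
	default:
		if (net_ratelimit())
			pr_notice("tc filter: Bogus netfilter code"
				  " %d assume ACCEPT\n", verdict);
		/* TC_POLICE_OK is the legacy alias of TC_ACT_OK; use the
		 * same name as the NF_ACCEPT case above */
		result = TC_ACT_OK;
		break;
	}
	spin_unlock(&ipt->tcf_lock);
	return result;
}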
247
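/*
 * tcf_ipt_dump - .dump callback: serialise the action as TCA_IPT_* attributes
 * @skb:  message under construction
 * @a:    action whose priv holds the tcf_ipt
 * @bind: the caller's own bind, subtracted from the reported bind count
 * @ref:  the caller's own reference, subtracted from the reported refcnt
 *
 * A copy of the target blob is sent back with the user-visible name
 * restored from the resolved xt_target. Returns skb->len on success; on
 * any failure the partially written attributes are trimmed off and -1
 * is returned.
 */
static int tcf_ipt_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
{
	unsigned char *b = skb_tail_pointer(skb);
	struct tcf_ipt *ipt = a->priv;
	struct ipt_entry_target *t;
	struct tcf_t tm;
	struct tc_cnt c;

	/* for simple targets kernel size == user size
	** user name = target name
	** for foolproof you need to not assume this
	*/

	t = kmemdup(ipt->tcfi_t, ipt->tcfi_t->u.user.target_size, GFP_ATOMIC);
	if (unlikely(!t))
		goto nla_put_failure;

	c.bindcnt = ipt->tcf_bindcnt - bind;
	c.refcnt = ipt->tcf_refcnt - ref;

	/* The copy was taken from the kernel-side entry, where u.kernel.target
	 * (a kernel pointer stored by ipt_init_target()) overlays the bytes of
	 * u.user.name. A plain strcpy() only overwrites up to the terminating
	 * NUL, so for a short name the remainder of the field — pointer bytes
	 * included — would be copied out to userspace. Clear the whole field
	 * first and bound the copy to it. */
	memset(t->u.user.name, 0, sizeof(t->u.user.name));
	strlcpy(t->u.user.name, ipt->tcfi_t->u.kernel.target->name,
		sizeof(t->u.user.name));

	NLA_PUT(skb, TCA_IPT_TARG, ipt->tcfi_t->u.user.target_size, t);
	NLA_PUT_U32(skb, TCA_IPT_INDEX, ipt->tcf_index);
	NLA_PUT_U32(skb, TCA_IPT_HOOK, ipt->tcfi_hook);
	NLA_PUT(skb, TCA_IPT_CNT, sizeof(struct tc_cnt), &c);
	NLA_PUT_STRING(skb, TCA_IPT_TABLE, ipt->tcfi_tname);
	/* timestamps are reported as ages in clock ticks, not absolute jiffies */
	tm.install = jiffies_to_clock_t(jiffies - ipt->tcf_tm.install);
	tm.lastuse = jiffies_to_clock_t(jiffies - ipt->tcf_tm.lastuse);
	tm.expires = jiffies_to_clock_t(ipt->tcf_tm.expires);
	NLA_PUT(skb, TCA_IPT_TM, sizeof (tm), &tm);
	kfree(t);
	return skb->len;

nla_put_failure:
	nlmsg_trim(skb, b);
	kfree(t);	/* NULL when the kmemdup() itself failed; kfree tolerates it */
	return -1;
}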
286
/* Registration record for the "ipt" action kind. Lookup and walking are
 * delegated to the generic hash helpers; everything else is implemented
 * in this file. */
static struct tc_action_ops act_ipt_ops = {
	.kind		=	"ipt",
	.hinfo		=	&ipt_hash_info,
	.type		=	TCA_ACT_IPT,
	.capab		=	TCA_CAP_NONE,
	.owner		=	THIS_MODULE,
	.act		=	tcf_ipt,		/* per-packet: run the target */
	.dump		=	tcf_ipt_dump,		/* netlink serialisation */
	.cleanup	=	tcf_ipt_cleanup,	/* drop a reference */
	.lookup		=	tcf_hash_search,
	.init		=	tcf_ipt_init,		/* create / replace from netlink */
	.walk		=	tcf_generic_walker
};

MODULE_AUTHOR("Jamal Hadi Salim(2002-4)");
MODULE_DESCRIPTION("Iptables target actions");
MODULE_LICENSE("GPL");
304
/* Module entry point: make the "ipt" action kind known to the tc core.
 * Returns the registration result (0 or a negative errno). */
static int __init ipt_init_module(void)
{
	return tcf_register_action(&act_ipt_ops);
}
309
/* Module exit point: withdraw the "ipt" action kind again. */
static void __exit ipt_cleanup_module(void)
{
	tcf_unregister_action(&act_ipt_ops);
}
314
/* hook the two functions above up as the module's init/exit handlers */
module_init(ipt_init_module);
module_exit(ipt_cleanup_module);
317